The hacker market, far from being a series of ad hoc, disparate networks powered by ego and fame, is a market with many similarities to other markets in free economies, a survey from Juniper Networks said.

The report, conducted by RAND Corporation through a series of two dozen interviews between October and December 2013, said that there were five indicators of the maturity of the market — sophistication, specialisation, reliability, accessibility, and resilience to external events — and that the hacking market has potential to be more profitable than the illicit drug trade due to the links to users being more direct, few requirements to getting started in the economy, and the worldwide distribution available.

"I don't think people expect to see it so mature," Greg Bunt, Juniper director of APAC security sales, told ZDNet.

"Rather than it being described as a black market, I think it needs to be described as a pretty fully-featured, and fully-rich economy with payment systems, policing — all the sorts of things that you would see in a traditional economy, we see that permeate through this as well."

Mirroring aspects of a traditional economy, the survey found that products sold by exploit vendors, often arrived complete with usage terms, tracking functionality, and enforcement functionality.

"Vendors often guarantee their products' lifespan or value — for example, guaranteeing a particular malware variant is good for ten hours before detection by antivirus products, or that a credit card is good for a certain amount of money — and some can track what a customer does with their product to make sure 'terms of use' are not broken — a sort of 'digital rights management'," the report said.

"For example, a vendor might label and track each install sold, with the ability to shut down anyone who is making too much noise by infecting too many victim machines."

As to the structure of the economy, while any computer-literate actor can enter it, the higher echelons of the market are highly vetted, highly structured, and policed. At the top of the market's structure, where all the profit is, are administrators and subject-matter experts, followed by vendors, brokers, and intermediaries, and at the bottom of the market are general members of the community and mules.

Image: RAND

Mules can be willing or unwilling actors, and are responsible for turning the stolen assets into usable money, such as conducting wire transfers, or shipping goods overseas.

"One expert noted that witting mules are the 'linchpin' of the system, as they tend to be closest to turning 'the take' of an attack into actual disbursements of money," the report said. "Thus, participating as a mule can be lucrative."

Geographically, the report said that different groups operate in different attack spaces.

"There are Vietnamese groups that mainly focus on eCommerce, whereas a majority of Russians, Romanians, Lithuanians, Ukrainians, and other Eastern Europeans mainly focus on attacking financial institutions. Chinese hackers are believed to focus more on IP."

"In terms of quantity, the leaders in malware attacks are China, Latin America, and Eastern Europe; Russia leads in terms of quality."

Image: RAND

The ability of the exploit market to route around damage, and be resilient to takedowns of facilities, was also pointed out.

"Finding comparable replacements for market leaders like the Blackhole Exploit Kit or the Silk Road may take a few iterations, but substitutes appear almost immediately as competing forums constantly vie for market share," the report said.

"Although suspicion and 'paranoia' spike among participants, and some countermeasures are enacted — such as stronger encryption, more vetting, increased stealth, etc — the market just hiccups and returns to normal, albeit a somewhat less accessible and less open version of normal."

Looking ahead, the report states that the attackers will be ahead in security arms race, while large entities are able to secure themselves, smaller businesses will not be able to keep pace; with exploits for mobile devices and social networks will continue to grow.

"The development of mobile malware for Android devices — 70 percent of all mobile attacks — is likely to continue until Google, device manufacturers, and service providers work together to find a way of delivering updates and patches to users as they come out — only 12 percent of Android devices have been updated to the versions that prevent premium SMS charges being run up on the phones of unsuspecting users."

In response, Bunt said that Juniper would be looking to disrupt the economics of the hacker market, and will be looking to frustrate individuals that are probing, often automatically, for an exploitable target.

"Because there is such an expanded attack service now, I've only got to frustrate the individual who is doing that early forensics just a little bit, in order for them to move onto someone else," Bunt said.

"If you are doing this professionally, in this open market way, you are in it for money, and in order to monetise that you have got to move quickly to get whatever part you bring to that black market."